Can't access Backup router after HA/CARP enabled
-
I have two XG-7100-1U routers on the same version.
I have configured CARP VIPs for 3 local subnets on the primary, with the respective x.x.x.2 (primary) and x.x.x.3 (backup) IPs on eth6, eth7 and eth8 on both routers.
The Cisco switch stack has 6 ports in access mode connected to eth6, eth7 and eth8 on both routers.
I'm on one of the subnets and can access/ping the primary router via any VIP or x.x.x.2 IP, no problem.
However, the backup router can only be accessed via the LAN port (192.168.1.1) on eth2, which I connect directly to my PC and used to configure interfaces/rules before I enabled HA pfsync/xmlrpc.
I can't ping any of the x.x.x.3 IPs on eth6, eth7 or eth8 on the backup.
I have configured the IX1 interface as 192.168.3.1/30 (primary) and 192.168.3.2/30 (backup).
Once I established the connection on IX1 and enabled HA pfsync/xmlrpc, I couldn't access the backup router via the LAN port on eth2 anymore, and the x.x.x.3 IPs don't respond either.
I can use the console to access the backup router.
Perhaps I have configured the routers in the wrong order?
Is HA/CARP going to work for my local subnets?
On a side note, I only have one WAN IP, and I was NOT able to apply the public WAN gateway IP to a private /30 subnet on the WAN interface.
Anyway, any help would be appreciated. Thanks!
-
I have exactly the same problem with my two XG-7100 in HA mode.
Some help would be really appreciated.
-
Those CARP addresses should have the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.
-
Today I had an idea. I disabled the firewall with
pfctl -d
on the second device.
Access was possible again. After syncing the config from the first to the second pfSense, I enabled the firewall again with
pfctl -e
You might want to reboot your device at this point. Now it works again.
I must have messed up something with the firewall rules, and it was applied to the second pfSense, and then I was locked out of the GUI on the second as well as on my first firewall. I have no other explanation for my situation. You can follow the guide from the docs (found that later): https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html#disable-the-firewall
Also check what @jgraham5481 said in "Can't access Backup router after HA/CARP enabled":
Those CARP addresses should have the same subnet mask as the network they live on, i.e. they should be /24 if the interfaces on the master and slave firewalls are /24.
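Added example, not from anyone in this thread: a small POSIX shell check for the mask mismatch jgraham5481 describes. It parses FreeBSD/pfSense `ifconfig` output and flags every CARP VIP whose netmask differs from the interface's own address. The function name, interface names and sample output are constructed for the example.

```shell
# Added example (not from the thread). Checks `ifconfig` output for CARP VIPs
# whose netmask differs from the interface's own address, which is the
# mismatch jgraham5481 describes. On a pfSense box run:  ifconfig | check_carp_masks

# Read ifconfig output on stdin. Print one MISMATCH line per CARP VIP (an
# "inet ... vhid N" line) whose netmask differs from the first plain inet
# address on the same interface. Exit 0 if all match, 1 otherwise.
check_carp_masks() {
    awk '
        # Interface header, e.g. "ix2: flags=8843<UP,...> metric 0 mtu 1500"
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        $1 == "inet" {
            if ($0 ~ / vhid /) {
                # CARP VIP: remember it and compare once all lines are read
                vhid = "?"
                for (i = 1; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
                n++; v_if[n] = iface; v_ip[n] = $2; v_mask[n] = $4; v_id[n] = vhid
            } else if (!(iface in base)) {
                # First non-CARP inet line is the interface address (x.x.x.2/.3)
                base[iface] = $4
            }
        }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                if (!(v_if[k] in base) || v_mask[k] == base[v_if[k]]) continue
                bad++
                printf "MISMATCH %s vhid %s: VIP %s has netmask %s, interface uses %s\n", v_if[k], v_id[k], v_ip[k], v_mask[k], base[v_if[k]]
            }
            if (bad > 0) exit 1
        }'
}

# Constructed sample output (interface names and addresses are made up).
# ix2 is correct: the VIP mask equals the interface /24 (0xffffff00).
# ix3 is wrong: the VIP was created as /32 (0xffffffff) on a /24 interface.
SAMPLE_IFCONFIG='ix2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
    inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255 vhid 10
    carp: MASTER vhid 10 advbase 1 advskew 0
ix3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.20.2 netmask 0xffffff00 broadcast 192.168.20.255
    inet 192.168.20.1 netmask 0xffffffff broadcast 192.168.20.1 vhid 20
    carp: MASTER vhid 20 advbase 1 advskew 0'

printf '%s\n' "$SAMPLE_IFCONFIG" | check_carp_masks \
    || echo "fix the VIP netmask(s) above so they match the interface netmask"
```

A VIP that passes this check can still be unreachable for other reasons (firewall rules synced over XMLRPC, for instance), so treat a clean result as ruling out only the mask mismatch.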